Building Infrastructure you can (mostly) trust

In this talk, I look at how to build codified infrastructure that you can (mostly) trust and highlight important patterns that help in limiting the blast radius of changes.

This version of the talk was given at DevOops in November 2021.

---

Companion Code: github.com/ksatirli/building-infrastructure-you-can-mostly-trust

Kerim Satirli

November 09, 2021

Transcript

  1. Building Infrastructure you can (mostly) trust.

  2. [Diagram: sensor readings TEMP, HUM, NOISE, LUX, PAX; GATEWAY 1, GATEWAY 2 … GATEWAY N (IN / OUT); CLOUD; INTERNAL]

  3. TO DO
    * improve code
    DEADLINE: TBD :)

  4. Deployment Guide: SQL Server (rev. 12, page 1 / 23)
    TO DO
    * SQL Server (HA)
    DEADLINE: ASAP :(

  5. Deploy for upcoming Exposition?
    S. Miller
    to: me, A. Chyornyj

    View full-size slide

  6. TERMINAL
    > terraform plan -out="iot.tfplan"
    Plan: 8 to add, 0 to change, 0 to destroy.
    ────────────────────────────────────────
    Saved the plan to: iot.tfplan
    Run the following command to apply:
    terraform apply "iot.tfplan"

  7. Trust circles, from the inside out:
    You
    Neighbours: direct teammates
    In-Group: associated teams, rest of organization
    Out-Group: external partners, General Public, OSS contributions

  8. 01 Trusting Yourself: Works On My Machine

  9. CODE EDITOR
    resource "yandex_compute_instance" "exposition" {
      name        = "vdnkh-1"
      platform_id = "standard-v1"
      zone        = var.yandex_zone

      resources {
        cores  = 20
        memory = 48
      }

      boot_disk {
        auto_delete = true

        initialize_params {
          image_id = data.yandex_compute_image.ubuntu.image_id
        }
      }
      …
    }
    Trustable Code

  10. TERMINAL
    > git log -1
    commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD -> main)
    Author: Kerim Satirli
    Date:   Tue Nov 9 09:41:00 2021 +0200

        linting
    Trustable Code

  11. TERMINAL
    > git log --show-signature -1
    commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD -> main)
    gpg: Signature made Tue Nov 9 09:41:00 2021
    gpg:                using RSA key DAC9F8147655C16210FC5BA84E06DF3A215B79A8
    gpg: Good signature "[email protected]"
    Author: Kerim Satirli
    Date:   Tue Nov 9 09:41:00 2021 +0200

        linting
    Trustable Code

  12. github.com/operatehappy/packer-hashicorp
    Trustable Code

  13. TERMINAL
    > terraform validate
    │ Error: Reference to undeclared input variable
    │
    │   on compute.tf line 5, in resource "yandex_compute_instance" "exposition":
    │    5:   zone = var.yandex_zon
    │
    │ An input variable with the name "yandex_zon" has not been declared.
    │
    │ Did you mean "yandex_zone"?
    Validation (basic)

  14. TERMINAL
    > pre-commit run --all-files
    Check for added large files............................Passed
    Check for case conflicts...............................Passed
    Check for merge conflicts..............................Passed
    Terraform fmt..........................................Passed
    Terraform validate.....................................Passed
    Validation (basic)

  15. TERMINAL
    > tflint
    1 issue(s) found:

    Notice: resource name `exposition-test` must match the following format: snake_case (terraform_naming_convention)

      on compute.tf line 2:
       2: resource "yandex_compute_instance" "exposition-test" {

    Reference: github.com/terraform-linters/tflint/blob/master/docs/rules/terraform_naming_convention.md
    Validation (advanced)

  16. CODE EDITOR
    terraform {
      required_providers {
        yandex = {
          source  = "yandex-cloud/yandex"
          version = "0.66.0"
        }
      }

      required_version = "1.0.10"
    }
    Version Pinning

  18. Compatibility Promises
    https://www.terraform.io/docs/language
    Learn more about the Terraform 1.0 Compatibility Promises: https://www.terraform.io/docs/language/v1-compatibility-promises.html

  19. TERMINAL
    > terraform init
    Initializing provider plugins…
    - Finding yandex-cloud/yandex versions matching "0.66.0"…
    - Installing yandex-cloud/yandex v0.66.0…
    - Installed yandex-cloud/yandex v0.66.0 (key ID E40F590B50BB8E40)
    Version Pinning

  20. CODE EDITOR
    # .terraform.lock.hcl, written by `terraform init`
    provider "registry.terraform.io/yandex-cloud/yandex" {
      version     = "0.66.0"
      constraints = "0.66.0"
      hashes = [
        "h1:oThGd+Ls…84poGbY=",
        "zh:2eb19ceb…bc734a96",
        "zh:3f094b5b…3647a69d",
        "zh:43f1c9f0…996adb2c",
        "zh:44ca4c74…928943c9",
        "zh:609f33ad…9f1592ce",
        "zh:6da9c95b…1d179d88",
        "zh:6deacbba…bc2031a1",
        "zh:77283a62…60a436da",
        "zh:8a12d8cb…a683aa4c",
        "zh:9c91491d…2d40e0fc",
        "zh:b3b37f83…4ca284fd",
        "zh:dc8cd0d2…fff4016f",
        "zh:e298c674…f5e72b26",
      ]
    }
    Version Pinning
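
As an added example (not the talk's own code or the companion repository's), a pre-commit style check in Python that enforces the pinning pattern shown on the two slides above: every provider in required_providers must be pinned to an exact version, the lock file must select that same version, and the lock entry must carry an h1: hash. It parses only the shapes the slides show with regular expressions and runs on constructed inputs whose hash values are placeholders.

```python
# Added example (not from the talk or its companion repo): a pre-commit style
# check for the version pinning pattern on the slides. Regexes are enough for
# the shapes shown there. Inputs are constructed; hash values are placeholders.
import re
REQUIRED_PROVIDERS = '''terraform {
  required_providers {
    yandex = { source = "yandex-cloud/yandex", version = "0.66.0" }
    random = { source = "hashicorp/random", version = ">= 3.0" }
  }
}'''
LOCK_FILE = '''provider "registry.terraform.io/yandex-cloud/yandex" {
  version     = "0.66.0"
  constraints = "0.66.0"
  hashes      = ["h1:PLACEHOLDER=", "zh:PLACEHOLDER"]
}
provider "registry.terraform.io/hashicorp/random" {
  version     = "3.1.0"
  constraints = ">= 3.0"
  hashes      = ["zh:PLACEHOLDER"]
}'''
EXACT = re.compile(r"^\d+\.\d+\.\d+$")  # "0.66.0" pins; ">= 3.0" or "~> 0.66" float

def parse_required_providers(hcl):  # local name -> (source, version constraint)
    out = {}
    for name, body in re.findall(r'(\w+)\s*=\s*\{([^}]*)\}', hcl):
        attrs = dict(re.findall(r'(source|version)\s*=\s*"([^"]+)"', body))
        if "source" in attrs and "version" in attrs:
            out[name] = (attrs["source"], attrs["version"])
    return out

def parse_lock(lock):  # provider address -> (selected version, list of hashes)
    blocks = re.findall(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', lock, re.S)
    return {addr: (re.search(r'\bversion\s*=\s*"([^"]+)"', body).group(1),
                   re.findall(r'"((?:h1|zh):[^"]*)"', body)) for addr, body in blocks}

def check_pinning(hcl, lock):  # [] means every provider is pinned and locked
    findings, locked = [], parse_lock(lock)
    for name, (source, constraint) in parse_required_providers(hcl).items():
        if not EXACT.match(constraint):
            findings.append(f"{name}: constraint {constraint!r} is not an exact version")
        addr = source if source.count("/") == 2 else "registry.terraform.io/" + source
        version, hashes = locked.get(addr, (None, []))  # public registry if no hostname
        if version is None:
            findings.append(f"{name}: not in .terraform.lock.hcl (run terraform init)")
        elif EXACT.match(constraint) and version != constraint:
            findings.append(f"{name}: lock selected {version} but config pins {constraint}")
        elif not any(h.startswith("h1:") for h in hashes):
            findings.append(f"{name}: no h1: hash in lock entry (run terraform providers lock)")
    return findings
```

On the sample input the yandex provider passes and the random provider is reported twice: once for its floating constraint and once for the missing h1: hash.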

  21. Works On My Machine
    ▪ formatting
    ▪ linting
    ▪ version pinning

  22. 02 Trusting Your Team: Architecture to form Trust Relationships

  23. CODE EDITOR
    variable "yandex_token" {
      type        = string
      sensitive   = true
      description = "IAM token for authentication."
    }

  24. CODE EDITOR
    # see registry.terraform.io/providers/yandex-cloud/yandex/latest/docs#zone
    variable "yandex_zone" {
      type    = string
      default = "ru-1c"

      # see cloud.yandex.com/en/docs/overview/concepts/geo-scope
      validation {
        condition     = contains(["ru-1a", "ru-1c"], var.yandex_zone)
        error_message = "Value must be one of `ru-1a` or `ru-1c`."
      }
    }

  25. CODE EDITOR
    output "console_compute_instances_overview" {
      description = "URL for Compute Overview."
      value       = "console.cloud.yandex.com/…"
    }

    output "yandex_folder_id" {
      description = "Yandex.Cloud Folder ID."
      sensitive   = true
      value       = var.yandex_folder_id
    }
    Output

  26. TERMINAL
    > terraform plan
    Terraform will perform the following actions:

      # yandex_compute_disk.os_disk will be created
      + resource "yandex_compute_disk" "os_disk" {}

      # yandex_compute_disk.data_disk will be created
      + resource "yandex_compute_disk" "data_disk" {}

      # yandex_compute_instance.main will be created
      + resource "yandex_compute_instance" "main" {}

      # yandex_dns_zone.main will be created
      + resource "yandex_dns_zone" "main" {}
    Codify Patterns

  27. Codify Patterns
    https://github.com/im2nguyen/rover

  28. Minimally Viable Pattern
    Networking Module
    ▪ Resources
    – vpc_network
    – vpc_subnet(s)
    – vpc_security_group
    ▪ Inputs / Outputs
    – var.cidr_range
    – dns_zone
    – iam_service_account
    Compute Module
    ▪ Resources
    – compute_instance
    – compute_disk(s)
    – dns_recordset(s)
    ▪ Inputs / Outputs
    – vpc_subnet
    – dns_zone
    – iam_service_account
    IAM Module
    ▪ Resources
    – resourcemanager_folder
    – iam_*
    ▪ Inputs / Outputs
    – var.zone
    – var.folder_id
    – iam_service_account

    View full-size slide

  29. TERMINAL
    > cd module-example && tree
    ├── examples
    ├── CHANGELOG.md
    ├── LICENSE
    ├── README.md
    ├── main.tf
    ├── output.tf
    ├── terraform.tf
    └── variables.tf
    Module Structure

  30. CODE EDITOR
    # renamed from "exposition"; the moved block below carries the existing
    # state over so Terraform does not destroy and recreate the instance
    resource "yandex_compute_instance" "main" {
      name        = "vdnkh-1"
      platform_id = "standard-v1"
      zone        = var.yandex_zone
      …
    }

    moved {
      from = yandex_compute_instance.exposition
      to   = yandex_compute_instance.main
    }
    Config-driven Move (Terraform 1.1)

  31. CODE EDITOR
    module "website" {
      source  = "vdnkh/website/yandex"
      version = "1.0.0"

      folder_id = var.yandex_folder_id
      zone      = var.yandex_zone
    }
    Module Defaults

  32. CODE EDITOR
    provider "yandex" {
      token     = var.yandex_token
      cloud_id  = var.yandex_cloud_id
      folder_id = var.yandex_folder_id
      zone      = var.yandex_zone
    }
    Protecting Secrets

  33. CODE EDITOR
    variable "yandex_token" {
      type        = string
      sensitive   = true
      description = "IAM token for authentication."
    }

    # output names are plain identifiers, so the output is named after the
    # variable rather than "var.yandex_folder_id"
    output "yandex_folder_id" {
      description = "Yandex.Cloud Folder ID."
      sensitive   = true
      value       = var.yandex_folder_id
    }
    Protecting Secrets

  34. TERMINAL
    > terraform-docs .
    README.md updated successfully
    Generated Docs

  35. Generated Docs
    git.io/JX2mP

  36. [Diagram: sensor readings TEMP, HUM, NOISE, LUX, PAX; GATEWAY 1, GATEWAY 2 … GATEWAY N (IN / OUT); QUARANTINE; CLOUD; INTERNAL]

  37. Trust Relationships
    ▪ validate your inputs
    ▪ over-document everything
    ▪ modularize with minimalism in mind

  38. Resources
    ▪ slides: speakerdeck.com/ksatirli/building-infrastructure-you-can-mostly-trust
    ▪ code: github.com/ksatirli/building-infrastructure-you-can-mostly-trust

  39. Kerim Satirli
    Sr. Developer Advocate at HashiCorp
    he/him
    @ksatirli (twitter.com/ksatirli)